cvedb.io
CVE-2026-44224
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2026-05-12T21:16:16.137 · Last modified 2026-06-17T10:50:23.150

Summary

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without any ownership check or restriction on which groups can be assigned. A user with manage:users — a permission typically delegated to wiki moderators for account management — can set groups:[1] on their own account to self-assign to the Administrators group. After re-authentication, the fresh JWT carries manage:system, granting full site administrator access in a single mutation call. This vulnerability is fixed in 2.5.313.

Affected products

requarks — wiki.js

Does this affect you?

Add your gear to cvedb and we'll alert you only when requarks ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.